— A weekly publication —
A weekly read of everything that moved in agentic commerce — protocols, payment rails, retailer pilots, regulation. Summarised, sourced, and stitched to what came before.
Agentic commerce is the practice of AI agents initiating, negotiating, and completing commercial transactions autonomously — browsing inventory, comparing prices, applying promotions, and executing checkout without per-step human approval. The agent acts on a consumer's standing intent, constrained by a pre-authorised budget and a defined preference set. McKinsey estimates agentic AI will automate workflows touching $3–5 trillion in commerce annually by 2030.
This publication tracks seven lanes where agentic commerce is advancing in real deployments. Payment rails covers how agents settle transactions — card-on-file tokens, stablecoin, and network-level agent-pay programmes from Visa, Mastercard, and Stripe. AEO and discovery covers how agents find and rank merchants — structured feeds, schema markup, and direct integrations with ChatGPT Shopping, Google AI Mode, and Perplexity. Standards and protocols covers the open specs agents use to interoperate — Model Context Protocol (MCP), the agent-to-agent (A2A) protocol, and the Universal Commerce Protocol (UCP). Identity and trust covers how agents prove authority to act — verifiable credentials, OAuth delegation, and the FIDO Alliance's Agentic Authentication work. Security and risk covers the attack surfaces agents create — prompt injection, fraud vectors, and delegated-authority risks. Regulation covers government and central-bank responses to agent-initiated transactions. Retailer pilots covers live deployments and their reported results.
Three card networks now run distinct agent-pay programmes alongside an emerging set of token and wallet specifications. Mastercard launched Agent Pay in April 2025 with Agentic Tokens; the developer programme expanded in September 2025 to include Stripe, Google, and Antom. Visa published the Trusted Agent Protocol in October 2025 with Cloudflare and grew its Agentic Ready testing programme to 85-plus issuer partners in Asia Pacific and Latin America by April 2026. Stripe shipped its Agentic Commerce Suite in December 2025, introducing Shared Payment Tokens and one-time card generation for agent flows. In Q1 2026 earnings, Mastercard disclosed that Agent Pay is enabled across nearly all of its cards globally. None of the three networks has published a joint interoperability specification; each programme defines its own token format, dispute path, and merchant-attestation flow. This hub tracks every public deployment, partnership, and technical-spec change across the three networks plus stablecoin and bank-to-bank rails moving into agentic flows. Across all three programmes, the merchant-facing surface is the same — an agentic checkout endpoint that accepts a token, a delegated authorisation, and a dispute path.
AI-surface product discovery has crystallised across a handful of platforms in late 2025 and early 2026. OpenAI launched ChatGPT Shopping Research in November 2025 using a reinforcement-trained GPT-5 mini variant that combs the web for product-by-product comparisons. Google activated direct shopping inside AI Mode in February 2026 with Direct Offers, Business Agent chat, and sponsored formats. Stripe disclosed a Google partnership in April 2026 enabling merchant checkout inside Gemini and AI Mode for Wix, BigCommerce, and WooCommerce stores via the Agentic Commerce Suite. Perplexity launched a free shopping agent backed by PayPal Instant Buy in November 2025. OpenAI retired its merchant-of-record model in March 2026, shifting to brand-owned checkout flows that hand the consumer back to the merchant after agent-led discovery. McKinsey estimated agentic commerce at $3–5 trillion globally by 2030. A unified feed standard for agent-readable product data remains unresolved at Schema.org. This hub tracks the platform launches, ranking signals, and feed-spec changes that shape which merchants agents surface. AEO marketing as a discipline now spans feed-spec engineering, schema markup, and direct platform integrations with the major AI surfaces.
Open interoperability specifications for agentic commerce are advancing in parallel across foundation, vendor, and network venues. Anthropic published the Model Context Protocol in November 2024; the one-year-anniversary spec in November 2025 added asynchronous Tasks and improved OAuth handling. Google published the Agent-to-Agent protocol at Cloud Next in April 2025 and followed in September 2025 with the Agent Payments Protocol backed by 60-plus partners. The Linux Foundation formed the Agentic AI Foundation in December 2025 with MCP, Block's goose, and OpenAI's AGENTS.md as founding projects. Google and Shopify co-launched the Universal Commerce Protocol at NRF in January 2026; Amazon, Meta, Microsoft, Salesforce, and Stripe joined its ten-member Tech Council in April 2026. The FIDO Alliance formed agentic-commerce working groups in April 2026, accepting AP2 v0.2 and Mastercard's Verifiable Intent as founding contributions. No specification has reached v1.0 across a multi-vendor implementer base; most live deployments run on draft or vendor-specific variants. This hub tracks every spec publication, working-group formation, and interop-event outcome across the open-standard layer.
Cryptographic agent credentialing, delegation chains, and verified-merchant signals are advancing across foundations and the FIDO/OpenID stack. The OpenID Foundation published a whitepaper on AI-agent identity management in October 2025 covering authentication, authorisation, and revocation for autonomous agents. The Foundation opened self-certification for Verifiable Credential specifications in February 2026, including OpenID4VP, OpenID4VCI, and HAIP 1.0 — the first formal conformance path for VC implementations. The FIDO Alliance formed an Agentic Authentication Technical Working Group in April 2026, chaired by CVS Health, Google, and OpenAI, to define how AI agents authenticate and act on behalf of users. Mastercard's Verifiable Intent framework uses selective-disclosure cryptography to create a tamper-resistant record of consumer authorisation for an agent's transaction; both AP2 v0.2 and Verifiable Intent were open-sourced at the April 2026 FIDO Alliance announcement. Cross-network interoperability between Visa, Mastercard, and the FIDO/OpenID layer remains unresolved. This hub tracks every credential-spec release, working-group charter, and live deployment of agent-identity infrastructure.
Threat vectors specific to agent-initiated commerce are being measured for the first time in late 2025 and early 2026. Visa's PERC Fall 2025 report documented a 450-percent increase in dark-web posts mentioning AI-agent fraud tools. A Google Security Blog study published in April 2026 found 15,300 prompt-injection instances across 11,700 web pages, a 32-percent rise from November 2025 to February 2026. Prompt injection in product descriptions is the leading attack surface identified across both reports — adversarial sellers embed instructions designed to hijack a shopping agent's reasoning at the catalogue layer. OWASP has active working groups on agentic-system threat models. The two published studies represent the first quantitative measurement of prompt injection at commercial scale across retail-facing web content; vendor-side mitigations (input sanitisation, structured tool schemas, sandboxed execution) remain in vendor-specific draft form. This hub tracks the published research, vendor disclosures, and incident reports that map the agentic-commerce attack surface.
Government, judicial, and regulatory response to agent-initiated commercial transactions is in early formation. A US federal judge granted Amazon a preliminary injunction in March 2026 barring Perplexity's Comet AI browser from accessing Amazon accounts, citing password-protected system access — the first US federal ruling directly addressing AI-agent access to a commercial platform. The UK Financial Conduct Authority published its 2026 Payments Regulatory Priorities in March 2026, stating it will consider whether existing payment rules require changes to accommodate agentic AI payments. No jurisdiction had published binding rules specific to agent-initiated transactions as of April 2026. The European Banking Authority and the Bank for International Settlements have included agentic AI in their technology-watch outputs without published rule-making. State-level US activity has so far produced consumer-protection guidance but no statute. This hub tracks every regulatory filing, judicial ruling, and central-bank publication that touches on AI-agent commercial transactions, plus vendor-side policy responses.
Live agent-commerce deployments at retailers and financial institutions began landing in volume in late 2025. Walmart launched ChatGPT Instant Checkout with OpenAI in October 2025; Walmart disclosed in March 2026 that it achieved 1.18-percent conversion versus approximately 3.5-percent on Walmart's own website — the first quantitative pilot result published by either party. Amazon rolled out auto-buy and agentic upgrades to Rufus for 250 million users in November 2025. Mastercard and Australian banks completed Australia's first authenticated agentic transactions in January 2026; Santander and Mastercard completed Europe's first live end-to-end AI-agent payment in March 2026. Ulta Beauty deployed a Gemini-powered shopping agent and UCP agentic checkout in April 2026, the first major retailer to ship UCP end-to-end. The set of live deployments now spans the three card networks, two hyperscaler agents, and at least one open protocol. This hub tracks every public deployment, results disclosure, and pilot expansion across retailers, financial institutions, and AI-agent vendors.
This publication tracks seven lanes where agentic commerce is advancing in real deployments: payment rails (how agents settle transactions), AEO and discovery (how agents find and rank products), standards and protocols (the open specs agents use to interoperate), identity and trust (how agents prove authority to act), security and risk (the new attack surfaces agents create), regulation (how governments and central banks are responding), and retailer pilots (live deployments and their reported results). Every event cited here links to a primary source.